Healthcare Information and Technology
in the Age of GDPR
Session 171 I February 13, 2019
Peter Gocke, MD, CDO at Charité - University Medical Center Berlin
Florian Benthin, Senior Manager at Deloitte
Conflict of Interest

Peter Gocke, MD, CDO at Charité - University Medical Center Berlin, and Florian Benthin, Senior Manager at Deloitte, have no real or apparent conflicts of interest to report.
Agenda

1. What is the EU-GDPR*
2. Comparison EU-GDPR and HIPAA**
3. EU-GDPR Basics and other Laws
4. First Steps to EU-GDPR
5. Introduction Charité
6. Data Privacy Status in 2017
7. Our Approach to EU-GDPR
8. Where we are today and Conclusion

* = European Union General Data Protection Regulation (short: GDPR); ** = U.S. Health Insurance Portability and Accountability Act
Learning Objectives

1. Analyze your organization's current situation with regard to data privacy
2. Identify the gap between that situation and the actual regulatory requirements
3. Create a management structure and assign roles to a task force that drives the transition towards a data-privacy-conformant organization
The journey of EU-GDPR

1995: The European Union released Directive 95/46/EC on the protection of individuals with regard to the processing of personal data.
2012: The European Commission proposed to reform the fragmented legal framework to deal with the new challenges for the protection of personal data.
2016: The EU-GDPR entered into force on 24 May 2016 and replaces the 1995 Data Protection Directive, thereby creating a harmonized data protection law across Europe.
2018: The EU-GDPR became applicable on 25 May 2018 across the EU, after a two-year implementation period.
Source: Deloitte
Facts & Figures

190+ countries potentially in scope of the new regulation
4% of global annual turnover as the maximum fine; applies also to organizations outside the EU which have access to EU data
8 core rights for individuals afforded under the new law: the right to be informed, to access, to rectification, to erasure, etc.
72 hours given to report a data breach to the supervisory authority
$68M potential cost of a 4% fine for the Charité
28,000 estimated number of new Data Protection Officers required in Europe (IAPP study 2016)
80+ new requirements in the EU-GDPR
88 pages, 11 chapters, 99 articles
Source: Deloitte, International Association of Privacy Professionals (IAPP) Study
EU-GDPR Basics in a nutshell

1. In May 2018, the EU-GDPR replaced the old Data Protection Directive, which had been in force in the EU for more than 20 years
2. EU-GDPR impacts any business that operates in Europe or collects data in or from Europe
3. As the EU-GDPR is a regulation, not a directive, it is directly binding and applicable in every member state without national transposition
4. Several fundamental rights for individuals are included
5. The law defines what should be done, not how
6. It does not stand alone and is underpinned by national law, for example the Federal Data Protection Act (BDSG) and the IT Security Act in Germany
Source: Deloitte
Details about the EU-GDPR

Location: applies to data of individuals located in the European Economic Area, regardless of the location of the processing organization
Data protection by design & by default: data protection must be built into products and services, and privacy settings must be set to a high level by default
Data breaches: the data controller is under a legal obligation to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach
Fines: sanctions of up to €20 million or 4% of the annual worldwide turnover (whichever is greater)
Responsibility (transparency principle): individuals must be informed about data and its collection, e.g. how long data is retained, or about automated decision-making, etc.
Source: Deloitte
Details about the EU-GDPR (cont.)

Data Subject Rights: rights for individuals, incl. the right to be informed, to access their data, to rectification, to erasure, to restrict processing, to data portability, to object, and to restrict automated decisions and profiling.
Lead Data Protection Authority: if the organization has establishments in more than one EU country, the supervisory authority of its main establishment acts as "Lead DPA" (one-stop-shop mechanism); it is determined by the location of the main establishment, not freely chosen.
Accountability: the appointment of a Data Protection Officer (DPO) is required by the GDPR itself for public bodies and for large-scale processing of health data, and additionally by local law (BDSG in Germany).
Lawful basis of processing: personal data may only be processed on one of the lawful bases of Art. 6 GDPR. Consent is one of them, alongside contract, legal obligation, vital interests, public task and legitimate interest; health data is additionally subject to the stricter conditions of Art. 9.
Source: Deloitte
Other relevant Laws
Source: Deloitte

EU Law:
- EU-GDPR
- Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
- Directive 2002/22/EC of the European Parliament and of the Council of 7 March 2002 on universal service and users' rights relating to electronic communications networks and services

Federal Law (GER):
- Federal Data Protection Act (BDSG)
- IT Security Act
- Telecommunications Act (TKG)
- Telemedia Act (TMG)
- Signature Act (SigG)
- Regulation on electronic signatures (SigV)
- Interstate Treaty on Media Services (MDStV)

State Law (GER):
- State Data Protection Act (Landesdatenschutzgesetz)
- Archives Act (ArchivG)
- Law on the implementation of the law on Article 10 of the Basic Law (AG G 10 NW)
- Professional Code of the Medical Associations
- Professional Code of the Pharmacists Associations
- Professional Code of the Dentist Associations

Medical & Church Law:
- Model Professional Code for German Physicians (MBO), e.g. §9 Para. 1 Medical confidentiality
- German Code of Criminal Procedure (StPO), e.g. §53 Para. 2 Right to refuse testimony, §97 Para. 1 Prohibition of seizure, §103 Para. 1 Limited right of search for medical practices
Excursus: IT Security Law

Before the IT Security Act:
- Security is seen only as a cost
- No prevention obligation
- No external reporting
- In case of a security breach:
o Solve internally
o Audit internally
o Hire external specialists
o Optional report to the authority
o Close the breach

Now with the IT Security Act:
- Minimum level of security
- Compliance audit every 2 years
- Obligation to report security breaches
- Prevention:
o Audit by external experts
o Implement recommended actions
- In case of a security breach:
o Report
o Consult the authorities
o Close the breach
Source: Deloitte
HIPAA vs. EU-GDPR (1/3)

What is in scope
HIPAA: The HIPAA Privacy Rule covers all individually identifiable health information
EU-GDPR: Covers any data from which a living individual is identifiable (directly or indirectly)

Definition of Health Information
HIPAA: Protected Health Information (PHI) is defined as any individually identifiable information relating to a past, present or future physical or mental health condition, the provision of health care, or the payment for health care
EU-GDPR: Additionally defines "data concerning health" as personal data relating to the physical or mental health of an individual, including the provision of health care services, which reveals information about his or her health status

Who is in scope
HIPAA: A covered entity is a health care provider who electronically transmits PHI in connection with certain HIPAA-covered transactions (e.g., electronically bills a health plan). HIPAA applies to covered entities and business associates within the United States, even with respect to non-United States citizens or residents
EU-GDPR: Applies to organizations established in the EU, and to organizations established elsewhere to the extent that they process personal data of individuals based in the EU and either (i) monitor the behavior of data subjects within the EU, or (ii) offer goods or services to individuals within the EU
Source: https://iapp.org/news/a/gdpr-match-up-the-health-insurance-portability-and-accountability-act/
HIPAA vs. EU-GDPR (2/3)

Consent
HIPAA: Permits the use or disclosure of PHI pursuant to an individual's authorization
EU-GDPR: Permits the use of health-related personal data with explicit consent from the data subject

Medical treatment
HIPAA: Permits the use or disclosure of PHI for treatment purposes, which includes the provision, coordination or management of health care and related services among health care providers or by a health care provider with a third party, and consultation between health care providers
EU-GDPR: Provides for the processing of sensitive personal information when necessary for the purposes of preventive or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services

Public Health
HIPAA: Permits the use or disclosure of PHI to public health authorities who are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury or disability
EU-GDPR: Permits processing of sensitive personal information that is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care and of medicinal products or medical devices
Source: https://iapp.org/news/a/gdpr-match-up-the-health-insurance-portability-and-accountability-act/
HIPAA vs. EU-GDPR (3/3)

Research
HIPAA: Provides that PHI may be used or disclosed for research purposes
EU-GDPR: Permits processing of sensitive personal information for scientific or historical research purposes or statistical purposes

The scope of data and entities covered by the EU-GDPR is broader than the data and entities covered by HIPAA. Organizations that process, use or disclose health information in the EU must firmly understand the restrictions of the EU-GDPR regarding health data.
Source: https://iapp.org/news/a/gdpr-match-up-the-health-insurance-portability-and-accountability-act/
How to approach EU-GDPR

1. Use a Framework
2. Select areas for focus, for example:
- EU-GDPR-focused gap assessment
- GDPR Compliance Roadmap
- Data Flow Maps
- Gap Remediation Support
- Broad privacy gap assessment, including EU-GDPR
- Design & Build
- PIA Support
- IT-focused GDPR gap assessment
- Vendor Risk Support
- Privacy Governance
Source: Deloitte
What to consider

Accountability
Area of consideration: No up-to-date records of the systems and processes that process personal information are available
Next steps: Perform a discovery to establish lists of all personal information processing activities; establish a process to keep the records up to date

Purpose Limitation
Area of consideration: Reuse of data, i.e. allowing secondary usage of personal information; weak identity & access management
Next steps: Identify secondary data usages and obtain the necessary consent from patients, or stop the secondary data processing activities; limit, regulate and manage access to personal information

Note: areas of significant effort should be started first.
Source: Deloitte
What to consider (cont.)

Storage Limitation
Area of consideration: Retaining personal data forever, "just in case"; legacy IT systems with troves of personal information
Next steps: Identify instances where personal information is stored for longer than necessary and delete unnecessary files

Privacy Impact Assessments
Area of consideration: No standard procedure in place to assess privacy risk prior to starting new processes or projects; privacy often acts as an ad-hoc showstopper
Next steps: Establish and implement a process to evaluate privacy risks when starting a new IT project or changing a business process; define what "high risk" or "risk" means for you

Note: areas of significant effort should be started first.
Source: Deloitte
What to consider (cont.)

Privacy by Design and by Default
Area of consideration: No documented standard process to cope with privacy risk when starting new projects and processes
Next steps: Based on a PIA, identify appropriate technical and organizational measures to mitigate risks and limit exposure

Data Subject Rights
Area of consideration: Agree on privacy notices and consents; provide access to personal information; allow users to update or rectify data; restrict automated processing; etc.
Next steps: Check that systems cover the consent processes and the processes to access and update patient information; identify instances of automated data processing

Note: areas of significant effort should be started first.
Source: Deloitte
What to consider (cont.)

Data Breaches
Area of consideration: The existing incident management and reporting process does not meet EU-GDPR requirements
Next steps: Establish a process to identify, prioritize and report data incidents to the supervisory authority within 72 hours

Information Security
Area of consideration: Existing information security measures to protect personal information are insufficient
Next steps: Implement appropriate technical and organizational measures as needed, such as encryption, data aggregation and segregation, etc.
Source: Deloitte
How is Germany's biggest Academic Medical Center facing these challenges?
Picture Source & Rights: Wiebke Peitz / Charité Universitätsmedizin Berlin
Intro to Charité Berlin

The Charité is Europe's biggest University Medical Center, with ~3000 beds on four main campuses in Berlin
Ranked Germany's Best Hospital every year from 2013 to 2018
17,100 employees, of these about 4000 clinicians and 4300 nurses
146,000 inpatient cases and 694,000 outpatient cases in 2016
€1.6 billion total revenue yearly, €150 million in third-party funding
€200 million in subsidies for teaching and research
Charité educates > 7,000 students, 1,300 of whom come from abroad
Research summary:
o 5 projects of the Excellence Initiative, 3 as project coordinator
o 14 Collaborative Research Centres, 6 as project coordinator
o 1 Clinical Research Group (as project coordinator)
o 5 DFG Research Groups, 3 as project coordinator
o 3 German Centers for Health Research
Source: Charité Universitätsmedizin Berlin
DP Status early 2018

The report of the "Berlin Commissioner for Data Protection and Freedom of Information" was critical of the Charité.
In total, 24 deficiencies were observed, 20 of which have already been remedied, and 4 are currently being remediated.
The deficiencies are categorized as follows:
Deficiency not existing (6x)
Deficiency already remediated (7x)
Remediation takes more time (4x)
Deficiency to be remediated by end of 2018 (3x)
Remediation is at an advanced stage (4x)
Source: Charité Universitätsmedizin Berlin
EU-GDPR Staffing

To cope with EU-GDPR, a Task Force with ~15 FTE was established, covering:
- Data security
- Information security
- Project management
- Data security consulting
- Project team
- IT security consulting
- Legal advice (on request)
Source: Charité Universitätsmedizin Berlin
Organization Chart
Source: Charité Universitätsmedizin Berlin

Chief Executive Officer
- Data Protection Office
- Information Security Office
- Data Privacy Officer (*)
(*) Legal requirement: direct access to top management (CEO); newly created position
Task Force EU-GDPR

Our EU-GDPR Task Force has 4 focus areas:
1. List of all information processing activities
2. Contract data processing
3. Privacy Risk Assessment (PIA)
4. Communication & eLearning
Source: Charité Universitätsmedizin Berlin

Fields of activity (period / finish / status):
- Revision: Central information security concept: ongoing / 28.02.2018 / ready
- Revision: Central data protection concept: ongoing / 30.03.2018 / ready
- List of processing activities (VVT, Verzeichnis von Verarbeitungstätigkeiten): ongoing / 25.05.2018
o Milestone: Completion: Survey of all systems (gap analysis): 12.02. - 23.02. / 23.02.2018 / ready
o Milestone: Assignment to processing activities: 19.02. - 28.02. / 28.02.2018 / ready
o Milestone: All processing activities created: 19.02. - 28.02. / 28.02.2018 / ready
o Milestone: Central TOM (technical and organizational measures) mapped: 19.02. - 23.03. / 23.03.2018 / ready
o Milestone: Supplementary TOM mapped: 26.02. - 20.04. / 20.04.2018 / delayed
o Milestone: PIA added: 26.02. - 14.05. / 14.05.2018 / delayed
- Rights of affected parties: ongoing / 30.03.2018 / ready
o Revision of existing and creation of central regulations
- Reporting obligations: ongoing / 30.03.2018 / ready
- Contract regarding the processing of data: ongoing / 24.04.2018 / ready
o Action guide, inventory and contract review
- Privacy Impact Assessment (PIA): ongoing / 24.04.2018 / (ready)
o Action guide: responsibilities, processes, interfaces to the VVT
- Awareness and staff trainings: ongoing / 25.05.2018
o Awareness campaign of the Executive Board: February 2018 / 28.02.2018 / ready
o Information for employees: March 2018 / 31.03.2018 / ready
o Revision and extension of the training courses (also e-learning): April 2018 / ongoing / ready
- Information obligations / consent and contract management: ongoing / 25.05.2018
o Revision of the privacy policy: information for patients, customers, employees, applicants: ongoing / 24.04.2018 / ready
o Form adaptations (consents, admission contracts): ongoing / 25.05.2018 / ready
Our Approach to EU-GDPR

1. List of all information processing activities
The Charité identified 278 processing activities. Together with 2066 research trials, a holistic picture of all processing activities has been generated.

Data Processing Activities by Division (identified / documentation complete):
- Medical Director: 49 / 46
- Charité Centres: 103 / 89
- Administration: 126 / 122
- Total: 278 / 257
Source: Charité Universitätsmedizin Berlin
Our Approach to EU-GDPR

2. Contract data processing
The "Berlin Commissioner for Data Protection and Freedom of Information" criticized the small number of contracts with our service providers (facility management, medical technology, …). Hence, the contracts have been revised.
Source: Charité Universitätsmedizin Berlin

1. Identification: 7 contracts were documented before the project; 5000 contracts were checked by lawyers
2. Development: 61 contracts are currently under development
3. Finalization: 102 contracts are finalized
When completed, 163 data processing contracts will exist, compared to 7 in the beginning.
Our Approach to EU-GDPR

4. Communication & eLearning
Internal communication:
- Video message by the Chairman
- Employee information: data privacy guideline "10 Golden Rules of Data Privacy and Information Security"
- Presentation of the current IT security actions
- Setup of eLearning
Source: Charité Universitätsmedizin Berlin
Recorded interview with Prof. Karl Max Einhäupl (CEO) and Janet Fahron (DPO)
Our Approach to EU-GDPR
Source: Charité Universitätsmedizin Berlin
Status as of Today

- A large team of more than 15 FTE works on the improvement of data privacy and data security
- We established the role of a CISO (Chief Information Security Officer)
- We closed 20 out of 24 gaps from the 2017 report
- We completed the identification of all processing activities
- We started to work on the Privacy Impact Assessment (PIA) and to improve the quality of the documentation of data processing activities
Focus areas: list of all information processing activities; contract data processing; Privacy Impact Assessment (PIA); communication & eLearning
Source: Charité Universitätsmedizin Berlin
Takeaways
Source: Charité Universitätsmedizin Berlin

Process
- Records of processing activities, privacy impact assessments and technical / organizational measures need life-cycle management
- Data privacy and information security need a shared management system (DPISMS: Data Privacy and Information Security Management System)
- Continuous staff education and training is crucial

Structure
- The Data Privacy Officer needs to have a consulting / auditing role
- The various EU-GDPR challenges require a dedicated full-time Data Protection Management Team
- The team reports directly to the CEO
For partners / vendors
Source: Charité Universitätsmedizin Berlin, InTouch Health
For partners / vendors

- Deep (!) technical details are to be discussed with the DPO
- Not only the GDPR, several additional regulations are to be considered
- Project ERIC: Enhanced Recovery after Intensive Care
- Tele-medicine service for external hospitals ("Tele-ICU")
- The vendor / supplier of the AV communication solution (XaaS) was forced to modify session initiation …
Source: Charité Universitätsmedizin Berlin
Questions?
Your Speakers:
Dr. med. Peter Gocke
Chief Digital Officer, Charité - University Medical Center Berlin
Phone +49 30 450 570 025 | E-Mail peter.gocke@charite.de
@pgocke pgocke
Florian Benthin
Senior Manager, Life Sciences & Health Care, Deloitte
Phone +49 40 32080 4803 | E-Mail fbenthin@deloitte.de
@fbenthin fbenthin
Please complete online session evaluation.